ATR-2026-00106highTool Poisoningexperimental

Schema-Description Contradiction Attack

Detects tools that claim read-only or safe functionality in their description but expose write-capable or dangerous parameters in their schema. This attack technique uses misleading descriptions to pass security review while the actual schema enables destructive operations. Example: a "safe_query" tool claiming "read-only database query" while exposing a "write_mode" parameter defaulting to true.

Severity

high

Response Actions

alertsnapshot

References

OWASP Agentic

ASI02:2026 - Tool Misuse and ExploitationASI06:2026 - Insufficient Access Controls

OWASP LLM

LLM06:2025 - Excessive Agency

View full YAML on GitHub →

More Tool Poisoning Rules

ATR-2026-00010criticalMalicious Content in MCP Tool Response ATR-2026-00011highInstruction Injection via Tool Output ATR-2026-00012highUnauthorized Tool Call Detection ATR-2026-00013criticalSSRF via Agent Tool Calls ATR-2026-00061mediumSkill Description-Behavior Mismatch